Kaspersky performing independent security analysis on OS X (Updated)

The firm's CTO says Apple asked for help—and at just the right time.

This post has been updated (see bottom of post) with a statement from Kaspersky Lab. The title has also been changed to reflect the new information we received.

Apple is drawing upon the expertise of security researchers from Kaspersky Lab when it comes to security on OS X, according to Kaspersky CTO Nikolai Grebennikov. In an interview with Computing News, Grebennikov revealed that Apple had asked his firm to begin analyzing OS X in order to help improve its security. The request follows the recent high-profile Flashback scare, and shows that Apple is beginning to take steps to take OS X security more seriously.

"Mac OS is really vulnerable, and Apple recently invited us to improve its security. We've begun an analysis of its vulnerabilities, and the malware targeting it," Grebennikov told Computing News. "Our first investigations show Apple doesn't pay enough attention to security. For example, Oracle closed a vulnerability in Java, which was a target for a major botnet several months ago."

Following reports that more than a half-million Macs were infected by Flashback thanks to a then-unpatched Java vulnerability in OS X, Kaspersky Lab boldly told members of the media that "Mac OS X invulnerability" to malware is a myth. Although the statement generated grousing among the Mac-using community, it's true—security researchers have been arguing for years that Macs were only perceptibly "safer" because of their relatively low market share. It would only be a matter of time before attackers began focusing on the Mac, and Kaspersky argued last month that we have officially reached that point. "Market share brings attacker motivation," the firm said in April. "Expect more drive-by downloads, more Mac OS X mass-malware. Expect cross-platform exploit kits with Mac-specific exploits."

The fact that Apple is consulting Kaspersky now for help doesn't come as a huge surprise, though. As we have learned from our own sources, Apple often brings in outside firms to present and discuss ideas for OS X and iOS. Since Mac hardware is increasingly becoming a target for malicious attackers, it makes sense that Apple would take the input from firms like Kaspersky more seriously as it prepares to move forward with its next version of OS X, Mountain Lion. Although Mountain Lion will allow users to heavily restrict the origin of software installed on their machines for security purposes, attacks like Flashback don't necessarily need users to install anything in order to take advantage of vulnerabilities. (Flashback installed itself on victims' machines via Java after users visited infected WordPress websites.) As such, malware will likely continue to be a concern for Mac users.

Apple did not respond to our request for comment by publication time.

Update: Kaspersky Lab has reached out to us to say that the representation of Kaspersky's supposed collaboration with Apple in Computing News is not accurate and the company is working on having the original article changed. Kaspersky also sent over the following statement on behalf of Grebennikov:

As Mac OS X market share continues to increase, we expect cyber-criminals to continue to develop new types of malware and attack methods. In order to meet these new threats, Kaspersky Lab has been conducting an in-depth analysis of Mac OS X vulnerabilities and new forms of malware.

This security analysis of Mac OS X was conducted independently of Apple; however, Apple is open to collaborating with us regarding new Mac OS X vulnerabilities and malware that we identify during our analysis.

Kaspersky Lab is committed to providing the highest level of security for all of our customers, including Mac OS X, and we will continue to enhance our technologies in order to meet the ever-changing threat landscape.

So Grebennikov thinks it's a good idea to be openly critical of a company he claims is a client? I'm not questioning the validity of his security claims, although Kaspersky is known for being overly dramatic, but this shows that the guy is either deluded into thinking that's a successful way to win & keep business or he's just full of sh*t. Apple is notorious for requiring vendors to be tight-lipped. I don't see them working with a firm like Kaspersky and definitely not continuing the relationship if it does exist.

"Mac OS is really vulnerable, and Apple recently invited us to improve its security. We've begun an analysis of its vulnerabilities, and the malware targeting it," Grebennikov told Computing News. "Our first investigations show Apple doesn't pay enough attention to security..."

I often take the obviously self-serving statements from security vendors with a certain grain of salt. There's no confirmation that Apple contacting Kaspersky actually happened, and with those statements it's unlikely that Apple would continue to work with Kaspersky even if it had been true.

So Grebennikov thinks it's a good idea to be openly critical of a company he claims is a client? I'm not questioning the validity of his security claims, although Kaspersky is known for being overly dramatic, but this shows that the guy is either deluded into thinking that's a successful way to win & keep business or he's just full of sh*t. Apple is notorious for requiring vendors to be tight-lipped. I don't see them working with a firm like Kaspersky and definitely not continuing the relationship if it does exist.

Right, if Jobs was around he'd plant a shoe firmly up Grebennikov's ass. Tim Cook, you're no Jobs but channeling him in situations like this might help with the PR.

I didn't realize that Flashback was only attached to WordPress sites. Are Mac users more likely to read a blog than anyone else? It just seems like an odd target. But hey the plus side is that Mac users now get to enjoy the overly intrusive virus scan products just like everyone else... Except us Linux users (that don't run as root)

Apple, being notoriously secretive, would probably have demanded a non-disclosure agreement before doing anything involving such a sensitive topic. If anything happened, it was very unofficial to say the least.

I didn't realize that Flashback was only attached to WordPress sites. Are Mac users more likely to read a blog than anyone else? It just seems like an odd target. But hey the plus side is that Mac users now get to enjoy the overly intrusive virus scan products just like everyone else... Except us Linux users (that don't run as root)

It's nothing unique to Mac; WordPress is a common attack vector. There are millions of separate WordPress installs; many of them are not kept up-to-date. A WordPress-based site with an outdated codebase and a substantial following is a perfect method for malware attacks.

I've never heard this before, that's very interesting. I wonder how often Microsoft brings in outside firms to present ideas for Windows.

Quite often, actually. Microsoft even has extensive beta tests of most of their products (OS itself and other things like Visual Studio). Additionally, they actually listen quite a bit to users in products like Visual Studio and add features to the language(s), even.

So Grebennikov thinks it's a good idea to be openly critical of a company he claims is a client? I'm not questioning the validity of his security claims, although Kaspersky is known for being overly dramatic, but this shows that the guy is either deluded into thinking that's a successful way to win & keep business or he's just full of sh*t. Apple is notorious for requiring vendors to be tight-lipped. I don't see them working with a firm like Kaspersky and definitely not continuing the relationship if it does exist.

Right, if Jobs was around he'd plant a shoe firmly up Grebennikov's ass. Tim Cook, you're no Jobs but channeling him in situations like this might help with the PR.

So Steve Jobs's denial would really address the problem? Come on, put down the kool aid and grow up. Tim Cook, unlike Steve Jobs, is running the organisation like a business with a professional outlook and that includes not throwing a temper tantrum when an executive from another company says something about Apple's products. Sorry but to throw a Steve Jobs-like temper tantrum post Flashback would be a PR disaster of epic proportions.

What Apple need to do is work with security firms and send a clear signal that they take security seriously and thus working with experts in the industry to address the gap between their own products and what needs to be done in terms of security. A clear signal in that direction will demonstrate that Apple is more than just chest beating but actually serious about improving its security record.

I think the next article that refers to the "myth" of OS X invulnerability will have to link to someone seriously stating that as a fact.

Anyway: True or not, it's certainly a good thing if Apple starts bringing in outside consultants for code audits. It is notoriously hard to audit your own code. At this point I think they should start by making the free Snow Leopard offer more public, to at least let Intel Leopard users be safe a while longer.

Apple should take advice from Microsoft, not Kaspersky. They actually had to work through very similar problems themselves - anyone remember when Microsoft had its own JVM which was frequently targeted by exploits?

Microsoft offers many of its security best practices as free information via MSDN. If Apple put the security of its OS and the needs + expectations of its users first and its pride second, they would be gladly accepting Microsoft as a partner in helping secure OSX. It's in everyone's best interest to have a secure computing ecosystem - regardless of platform.

Apart from slow updates when problems are discovered, in what other areas does Apple have weaknesses?

OSX's core security structure is good; it's based on FreeBSD. Their weakness is the speed with which they address security flaws and close them. Flashback could have been avoided, or greatly mitigated, if Apple either farmed out the Java updates to Oracle or incorporated Oracle's updates into their update chain. Responsiveness to security flaws is not a simple issue; it can touch every area of software development and sometimes requires disparate points of an organization to work together.

Compare with Microsoft: Windows core security structure still lags behind Unix. However, they've become very nimble with timely patches. This wasn't out of the goodness of their heart, of course. MSBlast and its contemporaries did huge damage to the windows ecosystem; it toppled Internet Explorer from its stranglehold on browser share and forced MS to sideline their Longhorn program to push out a service pack to plug the holes. We'll see if Apple needs such strong persuasion to improve their security policies.

Hahaha, what will the Mac fanboys say this time? I thought these AV vendors were just scammers that wanted to sell you AV software? Lawl...

I guess they will say that they are still scammers that want to sell AV software... I don't have Java on my mac installed (why should I? Haven't seen an app in years and if I should see one there are disposable VMs) and as soon as an App wants root permissions for installations it doesn't get installed (Flash/Office/VMware are notable exceptions).

Anyway I remember that Apple got some security people to look over Lion last year before it got released. I think there was even an arstechnica report about that.

As we have learned from our own sources, Apple often brings in outside firms to present and discuss ideas for OS X and iOS.

I've never heard this before, that's very interesting. I wonder how often Microsoft brings in outside firms to present ideas for Windows.

As far as security goes, they definitely bring in outside consultants (those they can't hire directly anyways). I know several people on a contractor team who audited the Vista kernel and flushed out many hundreds of security concerns before it went into production.

Apart from slow updates when problems are discovered, in what other areas does Apple have weaknesses?

I'd like to see a defined patching policy that would hopefully support more than the x and x-1 version of the OS (assuming x and x-1 weren't sufficiently long). With Mountain Lion just around the corner my Snow Leopard system is about to lose security patch support.

I think the next article that refers to the "myth" of OS X invulnerability will have to link to someone seriously stating that as a fact.

I think "the myth" exists because for years certain Apple-boosters in the mainstream media (for example, Walt Mossberg) have been recommending Macs due (in part) to their (supposed) lack of risk for malware infection. Personally, I have always believed this to be a myth, but I suppose "security by obscurity" could be considered a benefit if it results in a lower incidence of actual malware attacks.

Presumably, Kaspersky will tell Apple that there are tons of issues with OS X, which can only be fixed if each and every user splashes out on their software.

Here's hoping they do. Then Apple can tell them to shove it and start working on a front end to ClamAV like OS X Server does and put some extra talent behind ClamAV. Or they can buy a small security firm and build their own antimalware solution. But I agree with most, if Apple is really working with Kaspersky it won't be long before they look for someone else.

I'd definitely add legacy patching to my Apple wish-list. The release of a new OS package isn't a great reason to cease patching older versions. Of course they might not yet have the legacy user-base to require longer life-cycles on the OS (I know MS would LOVE to get out of the XP business).

I am not going to take one side on this or another but Daggar asked for an expansion on something you said. You asked for counterexamples when none were given. I had taken it as standard internet hyperbole. That it was your opinion and it's not really relevant to the point so I could care less. However that was kind of a douche response.

On Topic: Apple still advertises the security of their system and the lack of a need for AV as a key feature for OS X. I have to believe that feeds into security as no small part. Before anyone goes on about semantics and saying that the recent exposures to OS X are not viruses (you are correct). However Viruses (their heyday were floppies, CDs, removable media) have become marketing buzzwords for Malware. It sounds scary and since Viruses have fallen out of favor it's more likely or not to be true for most systems. Most new malware issues are trojans. Droppers are second with spyware and worms coming in next at that respective order for any system. Viruses will continue to be used in marketing until Colbert releases bears!

So you can claim something and then just admit that you've got no proof or anything to back it up? (well technical details in that case, "proof" doesn't make much sense in that regard) So that's how it works - good to know.

I mean may be possible, but without some sensible argument that's just trolling.

"[This] shows that Apple is beginning to take steps to take OS X security more seriously"

This seems like a rather imprecise description of the situation. It suggests that Apple hasn't taken security seriously. While I would prefer that Apple devote more time and attention to security, I don't pretend that Apple has done nothing.

Ironically, Apple is at the forefront of securing computers. However much of that work has been done in the mobile space where we aren't saddled with legacy constraints. They are attempting to do the same thing in desktopland but the industry is being dragged kicking and screaming.

Even more irony. Geeks are the ones clamoring for more security. The masses are blissfully satisfied with their security experience with OS X. Meanwhile the geeks weren't affected by the recent malware outbreak (which didn't actually do anything malicious to infected computers). Meanmeanwhile, geeks are resisting Apple's solution, the walled garden.

One thing is for sure, in this topic there is enough irony to go around.

Windows core security structure <- I'm not even sure what this actually "represents".

Some of the lower levels of OSX were based on FreeBSD and NetBSD combined with NeXTSTEP and Mach - it's really not as based on FreeBSD as some people make it out to be. Microsoft's security issues probably more stem from trying to support a lot of legacy stuff that people keep finding holes in rather than a "true" design flaw in the OS.

So Steve Jobs's denial would really address the problem? Come on, put down the kool aid and grow up. Tim Cook, unlike Steve Jobs, is running the organisation like a business with a professional outlook and that includes not throwing a temper tantrum when an executive from another company says something about Apple's products. Sorry but to throw a Steve Jobs-like temper tantrum post Flashback would be a PR disaster of epic proportions.

Don't be silly, there is a difference between booting a contractor and throwing a temper tantrum. ATI got booted and learned a valuable lesson. As an aside, can you imagine Elop talking shit about Windows Phone or MS about Nokia? No. If you're working with someone, I assume a certain amount of confidence is expected and required. Update: Article was updated. Somebody probably got on the phone and had a word with Kaspersky...

Oh... I see. Going back and reading a couple of the author's linked articles, she has been flogging the same strawman argument for a number of articles now. She is out to prove that Mac users were wrong for thinking they were invulnerable. The thing is though, almost nobody has made that argument. Maybe a few fringe wackos, but certainly not enough to make it the lead line in so many of her articles.

It is as ludicrous as asserting that Jacqui Cheng is not a kleptomaniac. Jacqui does not steal stuff every time she goes shopping.

You see, isn't it ludicrous? Please, a little restraint from that sensationalized angle. It would be greatly appreciated. You can write good articles on this topic without the click-bait.